[Midnightbsd-cvs] mports [23046] trunk/security/vuxml/vuln.xml: add more security stuff
laffer1 at midnightbsd.org
Sun Mar 4 16:36:13 EST 2018
Revision: 23046
http://svnweb.midnightbsd.org/mports/?rev=23046
Author: laffer1
Date: 2018-03-04 16:36:12 -0500 (Sun, 04 Mar 2018)
Log Message:
-----------
add more security stuff
Modified Paths:
--------------
trunk/security/vuxml/vuln.xml
Modified: trunk/security/vuxml/vuln.xml
===================================================================
--- trunk/security/vuxml/vuln.xml 2018-03-04 21:21:56 UTC (rev 23045)
+++ trunk/security/vuxml/vuln.xml 2018-03-04 21:36:12 UTC (rev 23046)
@@ -28,7 +28,7 @@
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- $FreeBSD: head/security/vuxml/vuln.xml 462088 2018-02-17 09:42:12Z ohauer $
+ $FreeBSD: head/security/vuxml/vuln.xml 463418 2018-03-02 17:01:14Z zi $
QUICK GUIDE TO ADDING A NEW ENTRY
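Review bot: the $FreeBSD$ keyword bump from 462088 to 463418 is the only record of which upstream vuln.xml revision range this merge covers, and the log message ("add more security stuff") does not name it; stating the upstream revision in the commit log would let the next merge be diffed against a known point. It is also worth confirming that every entry added in the following hunk exists upstream at or before r463418, so the keyword line and the merged content stay in sync.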
@@ -58,6 +58,992 @@
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="2040c7f5-1e3a-11e8-8ae9-0050569f0b83">
+ <topic>isc-dhcp -- Multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>isc-dhcp44-server</name>
+ <range><lt>4.4.1</lt></range>
+ </package>
+ <package>
+ <name>isc-dhcp44-client</name>
+ <range><lt>4.4.1</lt></range>
+ </package>
+ <package>
+ <name>isc-dhcp43-server</name>
+ <range><le>4.3.6</le></range>
+ </package>
+ <package>
+ <name>isc-dhcp43-client</name>
+ <range><le>4.3.6</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>ISC reports:</p>
+ <blockquote cite="https://kb.isc.org/article/AA-01565">
+ <p>Failure to properly bounds check a buffer used for processing
+ DHCP options allows a malicious server (or an entity
+ masquerading as a server) to cause a buffer overflow (and
+ resulting crash) in dhclient by sending a response containing a
+ specially constructed options section.</p>
+ </blockquote>
+ <blockquote cite="https://kb.isc.org/article/AA-01567">
+ <p>A malicious client which is allowed to send very large amounts
+ of traffic (billions of packets) to a DHCP server can eventually
+ overflow a 32-bit reference counter, potentially causing dhcpd
+ to crash.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-5732</cvename>
+ <cvename>CVE-2018-5733</cvename>
+ <url>https://kb.isc.org/article/AA-01565</url>
+ <url>https://kb.isc.org/article/AA-01567</url>
+ </references>
+ <dates>
+ <discovery>2018-02-21</discovery>
+ <entry>2018-03-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="30704aba-1da4-11e8-b6aa-4ccc6adda413">
+ <topic>libsndfile -- out-of-bounds reads</topic>
+ <affects>
+ <package>
+ <name>libsndfile</name>
+ <name>linux-c6-libsndfile</name>
+ <name>linux-c7-libsndfile</name>
+ <range><lt>1.0.29</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Xin-Jiang on Github reports:</p>
+ <blockquote cite="https://github.com/erikd/libsndfile/issues/317">
+ <p>CVE-2017-14245 (Medium): An out of bounds read in the function
+ d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote
+ DoS attack or information disclosure, related to mishandling of
+ the NAN and INFINITY floating-point values.</p>
+ <p>CVE-2017-14246 (Medium): An out of bounds read in the function
+ d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote
+ DoS attack or information disclosure, related to mishandling of the
+ NAN and INFINITY floating-point values.</p>
+ </blockquote>
+ <p>my123px on Github reports:</p>
+ <blockquote cite="https://github.com/erikd/libsndfile/issues/344">
+ <p>CVE-2017-17456 (Medium): The function d2alaw_array() in alaw.c of
+ libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown
+ address 0x000000000000), a different vulnerability than CVE-2017-14245.</p>
+ <p>CVE-2017-17457 (Medium): The function d2ulaw_array() in ulaw.c of
+ libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown
+ address 0x000000000000), a different vulnerability than CVE-2017-14246.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-14245</cvename>
+ <cvename>CVE-2017-14246</cvename>
+ <url>https://github.com/erikd/libsndfile/issues/317</url>
+ <cvename>CVE-2017-17456</cvename>
+ <cvename>CVE-2017-17457</cvename>
+ <url>https://github.com/erikd/libsndfile/issues/344</url>
+ </references>
+ <dates>
+ <discovery>2017-09-11</discovery>
+ <entry>2018-03-01</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="2b386075-1d9c-11e8-b6aa-4ccc6adda413">
+ <topic>libsndfile -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>libsndfile</name>
+ <name>linux-c6-libsndfile</name>
+ <name>linux-c7-libsndfile</name>
+ <range><le>1.0.28</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Agostino Sarubbo, Gentoo reports:</p>
+ <blockquote cite="https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-flac_buffer_copy-flac-c/">
+ <p>CVE-2017-8361 (Medium): The flac_buffer_copy function in flac.c in
+ libsndfile 1.0.28 allows remote attackers to cause a denial of service
+ (buffer overflow and application crash) or possibly have unspecified
+ other impact via a crafted audio file.</p>
+ </blockquote>
+ <blockquote cite="https://blogs.gentoo.org/ago/2017/04/29/libsndfile-invalid-memory-read-in-flac_buffer_copy-flac-c/">
+ <p>CVE-2017-8362 (Medium): The flac_buffer_copy function in flac.c in
+ libsndfile 1.0.28 allows remote attackers to cause a denial of service
+ (invalid read and application crash) via a crafted audio file.</p>
+ </blockquote>
+ <blockquote cite="https://blogs.gentoo.org/ago/2017/04/29/libsndfile-heap-based-buffer-overflow-in-flac_buffer_copy-flac-c/">
+ <p>CVE-2017-8363 (Medium): The flac_buffer_copy function in flac.c in
+ libsndfile 1.0.28 allows remote attackers to cause a denial of service
+ (heap-based buffer over-read and application crash) via a crafted audio
+ file.</p>
+ </blockquote>
+ <blockquote cite="https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-i2les_array-pcm-c/">
+ <p>CVE-2017-8365 (Medium): The i2les_array function in pcm.c in libsndfile
+ 1.0.28 allows remote attackers to cause a denial of service (buffer
+ over-read and application crash) via a crafted audio file.</p>
+ </blockquote>
+ <p>manxorist on Github reports:</p>
+ <blockquote cite="https://github.com/erikd/libsndfile/issues/292">
+ <p>CVE-2017-12562 (High): Heap-based Buffer Overflow in the
+ psf_binheader_writef function in common.c in libsndfile through
+ 1.0.28 allows remote attackers to cause a denial of service
+ (application crash) or possibly have unspecified other impact.</p>
+ </blockquote>
+ <p>Xin-Jiang on Github reports:</p>
+ <blockquote cite="https://github.com/erikd/libsndfile/issues/318">
+ <p>CVE-2017-14634 (Medium): In libsndfile 1.0.28, a divide-by-zero
+ error exists in the function double64_init() in double64.c, which
+ may lead to DoS when playing a crafted audio file.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-8361</cvename>
+ <url>https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-flac_buffer_copy-flac-c/</url>
+ <url>https://github.com/erikd/libsndfile/issues/232</url>
+ <url>https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3</url>
+ <cvename>CVE-2017-8362</cvename>
+ <url>https://blogs.gentoo.org/ago/2017/04/29/libsndfile-invalid-memory-read-in-flac_buffer_copy-flac-c/</url>
+ <url>https://github.com/erikd/libsndfile/issues/231</url>
+ <url>https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808</url>
+ <cvename>CVE-2017-8363</cvename>
+ <url>https://blogs.gentoo.org/ago/2017/04/29/libsndfile-heap-based-buffer-overflow-in-flac_buffer_copy-flac-c/</url>
+ <url>https://github.com/erikd/libsndfile/issues/233</url>
+ <url>https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3</url>
+ <url>https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8</url>
+ <cvename>CVE-2017-8365</cvename>
+ <url>https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-i2les_array-pcm-c/</url>
+ <url>https://github.com/erikd/libsndfile/issues/230</url>
+ <url>https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3</url>
+ <cvename>CVE-2017-12562</cvename>
+ <url>https://github.com/erikd/libsndfile/issues/292/</url>
+ <url>https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8</url>
+ <cvename>CVE-2017-14634</cvename>
+ <url>https://github.com/erikd/libsndfile/issues/318</url>
+ <url>https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788</url>
+ </references>
+ <dates>
+ <discovery>2017-04-12</discovery>
+ <entry>2018-03-01</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e3eeda2e-1d67-11e8-a2ec-6cc21735f730">
+ <topic>PostgreSQL vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>postgresql93-server</name>
+ <range><ge>9.3.0</ge><lt>9.3.22</lt></range>
+ </package>
+ <package>
+ <name>postgresql94-server</name>
+ <range><ge>9.4.0</ge><lt>9.4.17</lt></range>
+ </package>
+ <package>
+ <name>postgresql95-server</name>
+ <range><ge>9.5.0</ge><lt>9.5.12</lt></range>
+ </package>
+ <package>
+ <name>postgresql96-server</name>
+ <range><ge>9.6.0</ge><lt>9.6.8</lt></range>
+ </package>
+ <package>
+ <name>postgresql10-server</name>
+ <range><ge>10.0</ge><lt>10.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The PostgreSQL project reports:</p>
+ <blockquote cite="https://www.postgresql.org/about/news/1834/">
+ <ul>
+ <li>CVE-2018-1058: Uncontrolled search path element in pg_dump and other client applications</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path</url>
+ <cvename>CVE-2018-1058</cvename>
+ </references>
+ <dates>
+ <discovery>2018-03-01</discovery>
+ <entry>2018-03-01</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6a449a37-1570-11e8-8e00-000c294a5758">
+ <topic>strongswan - Insufficient input validation in RSASSA-PSS signature parser</topic>
+ <affects>
+ <package>
+ <name>strongswan</name>
+ <range><eq>5.6.1</eq></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Strongswan Release Notes reports:</p>
+ <blockquote cite="https://github.com/strongswan/strongswan/blob/master/NEWS">
+ <p>Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that
+ was caused by insufficient input validation. One of the configurable
+ parameters in algorithm identifier structures for RSASSA-PSS signatures is the
+ mask generation function (MGF). Only MGF1 is currently specified for this
+ purpose. However, this in turn takes itself a parameter that specifies the
+ underlying hash function. strongSwan's parser did not correctly handle the
+ case of this parameter being absent, causing an undefined data read.
+ his vulnerability has been registered as CVE-2018-6459.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-6459</cvename>
+ <url>https://github.com/strongswan/strongswan/commit/40da179f28b768ffcf6ff7e2f68675eb44806668</url>
+ </references>
+ <dates>
+ <discovery>2018-01-31</discovery>
+ <entry>2018-02-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="004debf9-1d16-11e8-b6aa-4ccc6adda413">
+ <topic>libsndfile -- out-of-bounds read memory access</topic>
+ <affects>
+ <package>
+ <name>libsndfile</name>
+ <name>linux-c6-libsndfile</name>
+ <name>linux-c7-libsndfile</name>
+ <range><le>1.0.28</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Laurent Delosieres, Secunia Research at Flexera Software reports:</p>
+ <blockquote cite="https://secuniaresearch.flexerasoftware.com/secunia_research/2017-13/">
+ <p>Secunia Research has discovered a vulnerability in libsndfile, which can be
+ exploited by malicious people to disclose potentially sensitive information.
+ The vulnerability is caused due to an error in the "aiff_read_chanmap()" function
+ (src/aiff.c), which can be exploited to cause an out-of-bounds read memory access
+ via a specially crafted AIFF file. The vulnerability is confirmed in version 1.0.28.
+ Other versions may also be affected.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-6892</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-6892</url>
+ <url>https://secuniaresearch.flexerasoftware.com/secunia_research/2017-13/</url>
+ <url>https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748</url>
+ </references>
+ <dates>
+ <discovery>2017-05-23</discovery>
+ <entry>2018-03-01</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="af485ef4-1c58-11e8-8477-d05099c0ae8c">
+ <topic>ntp -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.1</ge><lt>11.1_7</lt></range>
+ <range><ge>10.4</ge><lt>10.4_6</lt></range>
+ <range><ge>10.3</ge><lt>10.3_27</lt></range>
+ </package>
+ <package>
+ <name>ntp</name>
+ <range><lt>4.2.8p11</lt></range>
+ </package>
+ <package>
+ <name>ntp-devel</name>
+ <range><gt>0</gt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Network Time Foundation reports:</p>
+ <blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S">
+ <p>The NTP Project at Network Time Foundation is releasing ntp-4.2.8p11.</p>
+ <p>This release addresses five security issues in ntpd:</p>
+ <ul>
+ <li>LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil
+ vulnerability: ephemeral association attack</li>
+ <li>INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909:
+ ctl_getitem(): buffer read overrun leads to undefined
+ behavior and information leak</li>
+ <li>LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple
+ authenticated ephemeral associations</li>
+ <li>LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved
+ symmetric mode cannot recover from bad state</li>
+ <li>LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909:
+ Unauthenticated packet can reset authenticated interleaved
+ association</li>
+ </ul>
+ <p>one security issue in ntpq:</p>
+ <ul>
+ <li>MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909:
+ ntpq:decodearr() can write beyond its buffer limit</li>
+ </ul>
+ <p>and provides over 33 bugfixes and 32 other improvements.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-1549</cvename>
+ <cvename>CVE-2018-7182</cvename>
+ <cvename>CVE-2018-7170</cvename>
+ <cvename>CVE-2018-7184</cvename>
+ <cvename>CVE-2018-7185</cvename>
+ <cvename>CVE-2018-7183</cvename>
+ <url>http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S</url>
+ </references>
+ <dates>
+ <discovery>2018-02-27</discovery>
+ <entry>2018-02-28</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="abfc932e-1ba8-11e8-a944-54ee754af08e">
+ <topic>chromium -- vulnerability</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>64.0.3282.167</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2018/02/stable-channel-update-for-desktop_13.html">
+ <p>1 security fix in this release:</p>
+ <ul>
+ <li>[806388] High CVE-2018-6056: Incorrect derived class instantiation in V8. Reported by lokihardt of Google Project Zero on 2018-01-26</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-6056</cvename>
+ <url>https://chromereleases.googleblog.com/2018/02/stable-channel-update-for-desktop_13.html</url>
+ </references>
+ <dates>
+ <discovery>2018-01-26</discovery>
+ <entry>2018-02-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8e986b2b-1baa-11e8-a944-54ee754af08e">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>64.0.3282.119</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2018/01/stable-channel-update-for-desktop_24.html">
+ <p>Several security fixes in this release, including:</p>
+ <ul>
+ <li>[780450] High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01</li>
+ <li>[787103] High CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20</li>
+ <li>[793620] High CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09</li>
+ <li>[784183] Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein (www.trapkit.de) on 2017-11-12</li>
+ <li>[797500] Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23</li>
+ <li>[797500] Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23</li>
+ <li>[753645] Medium CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on
+ 2017-08-09</li>
+ <li>[774174] Medium CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12</li>
+ <li>[775527] Medium CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen on 2017-10-17</li>
+ <li>[778658] Medium CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-26</li>
+ <li>[760342] Medium CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29</li>
+ <li>[773930] Medium CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12</li>
+ <li>[785809] Medium CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16</li>
+ <li>[797497] Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23</li>
+ <li>[798163] Medium CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31</li>
+ <li>[799847] Medium CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08</li>
+ <li>[763194] Low CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-09-08</li>
+ <li>[771848] Low CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall (@_aaspring_) on 2017-10-05</li>
+ <li>[774438] Low CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-13</li>
+ <li>[774842] Low CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew on 2017-10-15</li>
+ <li>[441275] Low CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso (@asanso) on 2014-12-11</li>
+ <li>[615608] Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28</li>
+ <li>[758169] Low CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset Kabdenov on 2017-08-23</li>
+ <li>[797511] Low CVE-2018-6054: Use after free in WebUI. Reported by Rob Wu on 2017-12-24</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-6031</cvename>
+ <cvename>CVE-2018-6032</cvename>
+ <cvename>CVE-2018-6033</cvename>
+ <cvename>CVE-2018-6034</cvename>
+ <cvename>CVE-2018-6035</cvename>
+ <cvename>CVE-2018-6036</cvename>
+ <cvename>CVE-2018-6037</cvename>
+ <cvename>CVE-2018-6038</cvename>
+ <cvename>CVE-2018-6039</cvename>
+ <cvename>CVE-2018-6040</cvename>
+ <cvename>CVE-2018-6041</cvename>
+ <cvename>CVE-2018-6042</cvename>
+ <cvename>CVE-2018-6043</cvename>
+ <cvename>CVE-2018-6045</cvename>
+ <cvename>CVE-2018-6046</cvename>
+ <cvename>CVE-2018-6047</cvename>
+ <cvename>CVE-2018-6048</cvename>
+ <cvename>CVE-2017-15420</cvename>
+ <cvename>CVE-2018-6049</cvename>
+ <cvename>CVE-2018-6050</cvename>
+ <cvename>CVE-2018-6051</cvename>
+ <cvename>CVE-2018-6052</cvename>
+ <cvename>CVE-2018-6053</cvename>
+ <cvename>CVE-2018-6054</cvename>
+ <url>https://chromereleases.googleblog.com/2018/01/stable-channel-update-for-desktop_24.html</url>
+ </references>
+ <dates>
+ <discovery>2017-08-09</discovery>
+ <entry>2018-02-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="55c4233e-1844-11e8-a712-0025908740c2">
+ <topic>tomcat -- Security constraints ignored or applied too late</topic>
+ <affects>
+ <package>
+ <name>tomcat</name>
+ <range><ge>7.0.0</ge><le>7.0.84</le></range>
+ <range><ge>8.0.0</ge><le>8.0.49</le></range>
+ <range><ge>8.5.0</ge><le>8.5.27</le></range>
+ <range><ge>9.0.0</ge><le>9.0.4</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Apache Software Foundation reports:</p>
+ <blockquote cite="https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E">
+ <p>Security constraints defined by annotations of Servlets were only
+ applied once a Servlet had been loaded. Because security constraints
+ defined in this way apply to the URL pattern and any URLs below that
+ point, it was possible - depending on the order Servlets were loaded -
+ for some security constraints not to be applied. This could have exposed
+ resources to users who were not authorised to access them.</p>
+ </blockquote>
+ <blockquote cite="https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb@%3Cannounce.tomcat.apache.org%3E">
+ <p>The URL pattern of "" (the empty string) which exactly maps to the
+ context root was not correctly handled when used as part of a security
+ constraint definition. This caused the constraint to be ignored. It was,
+ therefore, possible for unauthorised users to gain access to web
+ application resources that should have been protected. Only security
+ constraints with a URL pattern of the empty string were affected.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://tomcat.apache.org/security-9.html</url>
+ <url>http://tomcat.apache.org/security-8.html</url>
+ <url>http://tomcat.apache.org/security-7.html</url>
+ <cvename>CVE-2018-1304</cvename>
+ <cvename>CVE-2018-1305</cvename>
+ </references>
+ <dates>
+ <discovery>2018-02-23</discovery>
+ <entry>2018-02-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="22438240-1bd0-11e8-a2ec-6cc21735f730">
+ <topic>shibboleth-sp -- vulnerable to forged user attribute data</topic>
+ <affects>
+ <package>
+ <name>xmltooling</name>
+ <range><lt>1.6.4</lt></range>
+ </package>
+ <package>
+ <name>xerces-c3</name>
+ <range><lt>3.1.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Shibboleth consortium reports:</p>
+ <blockquote cite="https://shibboleth.net/community/advisories/secadv_20180227.txt">
+ <p>
+ Shibboleth SP software vulnerable to additional data forgery flaws
+ </p>
+ <p>
+ The XML processing performed by the Service Provider software has
+ been found to be vulnerable to new flaws similar in nature to the
+ one addressed in an advisory last month.
+ </p>
+ <p>
+ These bugs involve the use of other XML constructs rather than
+ entity references, and therefore required additional mitigation once
+ discovered. As with the previous issue, this flaw allows for
+ changes to an XML document that do not break a digital signature but
+ can alter the user data passed through to applications behind the SP
+ and result in impersonation attacks and exposure of protected
+ information.
+ </p>
+ <p>
+ As before, the use of XML Encryption is a significant mitigation,
+ but we have not dismissed the possibility that attacks on the
+ Response "envelope" may be possible, in both the original and this
+ new case. No actual attacks of this nature are known, so deployers
+ should prioritize patching systems that expect to handle unencrypted
+ SAML assertions.
+ </p>
+ <p>
+ An updated version of XMLTooling-C (V1.6.4) is available that
+ protects against these new attacks, and should help prevent similar
+ vulnerabilities in the future.
+ </p>
+ <p>
+ Unlike the previous case, these bugs are NOT prevented by any
+ existing Xerces-C parser version on any platform and cannot be
+ addressed by any means other than the updated XMLTooling-C library.
+ </p>
+ <p>
+ The Service Provider software relies on a generic XML parser to
+ process SAML responses and there are limitations in older versions
+ of the parser that make it impossible to fully disable Document Type
+ Definition (DTD) processing.
+ </p>
+ <p>
+ Through addition/manipulation of a DTD, it's possible to make
+ changes to an XML document that do not break a digital signature but
+ are mishandled by the SP and its libraries. These manipulations can
+ alter the user data passed through to applications behind the SP and
+ result in impersonation attacks and exposure of protected
+ information.
+ </p>
+ <p>
+ While newer versions of the xerces-c3 parser are configured by the
+ SP into disallowing the use of a DTD via an environment variable,
+ this feature is not present in the xerces-c3 parser before version
+ 3.1.4, so an additional fix is being provided now that an actual DTD
+ exploit has been identified. Xerces-c3-3.1.4 was committed to the
+ ports tree already on 2016-07-26.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://shibboleth.net/community/advisories/secadv_20180227.txt</url>
+ <cvename>CVE-2018-0489</cvename>
+ </references>
+ <dates>
+ <discovery>2018-02-27</discovery>
+ <entry>2018-02-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="57580fcc-1a61-11e8-97e0-00e04c1ea73d">
+ <topic>drupal -- Drupal Core - Multiple Vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>drupal7</name>
+ <range><lt>7.56</lt></range>
+ </package>
+ <package>
+ <name>drupal8</name>
+ <range><lt>8.4.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Drupal Security Team reports:</p>
+ <blockquote cite="https://www.drupal.org/SA-CORE-2018-001">
+ <p>CVE-2017-6926: Comment reply form allows access to restricted content</p>
+ <p>CVE-2017-6927: JavaScript cross-site scripting prevention is incomplete</p>
+ <p>CVE-2017-6928: Private file access bypass - Moderately Critical</p>
+ <p>CVE-2017-6929: jQuery vulnerability with untrusted domains - Moderately Critical</p>
+ <p>CVE-2017-6930: Language fallback can be incorrect on multilingual sites with node access restrictions</p>
+ <p>CVE-2017-6931: Settings Tray access bypass</p>
+ <p>CVE-2017-6932: External link injection on 404 pages when linking to the current page</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-6926</cvename>
+ <cvename>CVE-2017-6927</cvename>
+ <cvename>CVE-2017-6928</cvename>
+ <cvename>CVE-2017-6929</cvename>
+ <cvename>CVE-2017-6930</cvename>
+ <cvename>CVE-2017-6931</cvename>
+ <cvename>CVE-2017-6932</cvename>
+ </references>
+ <dates>
+ <discovery>2018-02-21</discovery>
+ <entry>2018-02-25</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d9fe59ea-1940-11e8-9eb8-5404a68ad561">
+ <topic>cvs -- Remote code execution via ssh command injection</topic>
+ <affects>
+ <package>
+ <name>cvs</name>
+ <range><lt>1.20120905_5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Hank Leininger reports:</p>
+ <blockquote cite="http://lists.nongnu.org/archive/html/bug-cvs/2017-08/msg00000.html">
+ <p>Bugs in Git, Subversion, and Mercurial were just announced and patched
+ which allowed arbitrary local command execution if a malicious name was
+ used for the remote server, such as starting with - to pass options to
+ the ssh client:
+ git clone ssh://-oProxyCommand=some-command...
+ CVS has a similar problem with the -d option:</p>
+ <p>Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://lists.nongnu.org/archive/html/bug-cvs/2017-08/msg00000.html</url>
+ <url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10</url>
+ <cvename>CVE-2017-12836</cvename>
+ <freebsdpr>ports/226088</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2017-08-10</discovery>
+ <entry>2018-02-24</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="289269f1-0def-11e8-99b0-d017c2987f9a">
+ <topic>LibreOffice -- Remote arbitrary file disclosure vulnerability via WEBSERVICE formula</topic>
+ <affects>
+ <package>
+ <name>libreoffice</name>
+ <range><lt>5.4.5</lt></range>
+ <range><ge>6.0.0</ge><lt>6.0.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>LibreOffice reports:</p>
+ <blockquote cite="https://www.libreoffice.org/about-us/security/advisories/cve-2018-1055/">
+ <p>LibreOffice Calc supports a WEBSERVICE function to obtain data by URL.
+ Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file
+ URL (e.g file://) which can be used to inject local files into the
+ spreadsheet without warning the user. Subsequent formulas can operate on
+ that inserted data and construct a remote URL whose path leaks the local
+ data to a remote attacker.</p>
+ <p>In later versions of LibreOffice without this flaw, WEBSERVICE has now
+ been limited to accessing http and https URLs along with bringing
+ WEBSERVICE URLs under LibreOffice Calc's link management infrastructure.</p>
+ <p><strong>Note:</strong> This vulnerability has been identified upstream
+ as CVE-2018-1055, but NVD/Mitre are advising it's a reservation
+ duplicate of CVE-2018-6871 which should be used instead.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.libreoffice.org/about-us/security/advisories/cve-2018-1055/</url>
+ <url>https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure</url>
+ <cvename>CVE-2018-6871</cvename>
+ <freebsdpr>ports/225797</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2018-02-09</discovery>
+ <entry>2018-02-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d5b6d151-1887-11e8-94f7-9c5c8e75236a">
+ <topic>squid -- Vulnerable to Denial of Service attack</topic>
+ <affects>
+ <package>
+ <name>squid</name>
+ <range><lt>3.5.27_3</lt></range>
+ </package>
+ <package>
+ <name>squid-devel</name>
+ <range><lt>4.0.23</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Louis Dion-Marcil reports:</p>
+ <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2018_1.txt">
+ <p>Due to incorrect pointer handling Squid is vulnerable to denial
+ of service attack when processing ESI responses.</p>
+ <p>This problem allows a remote server delivering certain ESI
+ response syntax to trigger a denial of service for all clients
+ accessing the Squid service.</p>
+ <p>Due to unrelated changes Squid-3.5 has become vulnerable to some
+ regular ESI server responses also triggering this issue.</p>
+ <p>This problem is limited to the Squid custom ESI parser.
+ Squid built to use libxml2 or libexpat XML parsers do not have
+ this problem.</p>
+ </blockquote>
+ <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2018_2.txt">
+ <p>Due to incorrect pointer handling Squid is vulnerable to denial
+ of service attack when processing ESI responses or downloading
+ intermediate CA certificates.</p>
+ <p>This problem allows a remote client delivering certain HTTP
+ requests in conjunction with certain trusted server responses to
+ trigger a denial of service for all clients accessing the Squid
+ service.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.squid-cache.org/Advisories/SQUID-2018_1.txt</url>
+ <url>http://www.squid-cache.org/Advisories/SQUID-2018_2.txt</url>
+ <cvename>CVE-2018-1000024</cvename>
+ <cvename>CVE-2018-1000027</cvename>
+ <url>https://www.debian.org/security/2018/dsa-4122</url>
+ <freebsdpr>ports/226138</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2017-12-13</discovery>
+ <entry>2018-02-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="933654ce-17b8-11e8-90b8-001999f8d30b">
+ <topic>asterisk -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><lt>13.19.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories HERE">
+ <p>AST-2018-004 - When processing a SUBSCRIBE request the
+ res_pjsip_pubsub module stores the accepted formats present
+ in the Accept headers of the request. This code did not
+ limit the number of headers it processed despite having
+ a fixed limit of 32. If more than 32 Accept headers were
+ present the code would write outside of its memory and
+ cause a crash.</p>
+ <p>AST-2018-005 - A crash occurs when a number of
+ authenticated INVITE messages are sent over TCP or TLS
+ and then the connection is suddenly closed. This issue
+ leads to a segmentation fault.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2018-004.html</url>
+ <cvename>CVE-2018-7284</cvename>
+ <url>https://downloads.asterisk.org/pub/security/AST-2018-005.html</url>
+ <cvename>CVE-2018-7286</cvename>
+ </references>
+ <dates>
+ <discovery>2018-02-21</discovery>
+ <entry>2018-02-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f9f5c5a2-17b5-11e8-90b8-001999f8d30b">
+ <topic>asterisk and pjsip -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><lt>13.19.2</lt></range>
+ </package>
+ <package>
+ <name>pjsip</name>
+ <range><lt>2.7.2</lt></range>
+ </package>
+ <package>
+ <name>pjsip-extsrtp</name>
+ <range><lt>2.7.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="https://www.asterisk.org/downloads/security-advisories">
+ <p>AST-2018-002 - By crafting an SDP message with an
+ invalid media format description Asterisk crashes when
+ using the pjsip channel driver because pjproject's sdp
+ parsing algorithm fails to catch the invalid media format
+ description.</p>
+ <p>AST-2018-003 - By crafting an SDP message body with
+ an invalid fmtp attribute Asterisk crashes when using the
+ pjsip channel driver because pjproject's fmtp retrieval
+ function fails to check if fmtp value is empty (set empty
+ if previously parsed as invalid).</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2018-002.html</url>
+ <url>https://downloads.asterisk.org/pub/security/AST-2018-003.html</url>
+ </references>
+ <dates>
+ <discovery>2018-02-21</discovery>
+ <entry>2018-02-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="261ca31c-179f-11e8-b8b9-6805ca0b3d42">
+ <topic>phpMyAdmin -- self XSS in central columns feature</topic>
+ <affects>
+ <package>
+ <name>phpMyAdmin</name>
+ <range><ge>4.7.0</ge><lt>4.7.8</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The phpMyAdmin team reports:</p>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2018-1/">
+ <h3>Summary</h3>
+ <p>Self XSS in central columns feature</p>
+ <h3>Description</h3>
+ <p>A self-cross site scripting (XSS) vulnerability has been
+ reported relating to the central columns feature.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be of moderate severity.</p>
+ <h3>Mitigation factor</h3>
+ <p>A valid token must be used in the attack</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.phpmyadmin.net/security/PMASA-2018-1/</url>
+ <cvename>CVE-2018-7260</cvename>
+ </references>
+ <dates>
+ <discovery>2018-02-21</discovery>
+ <entry>2018-02-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="86291013-16e6-11e8-ae9f-d43d7e971a1b">
+ <topic>GitLab -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>gitlab</name>
+ <range><ge>6.1.0</ge><le>10.2.7</le></range>
+ <range><ge>10.3.0</ge><le>10.3.6</le></range>
+ <range><ge>10.4.0</ge><le>10.4.2</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GitLab reports:</p>
+ <blockquote cite="https://about.gitlab.com/2018/02/07/gitlab-security-10-4-3-plus-10-3-7-plus-10-2-8-blog/">
+ <h1>SnippetFinder information disclosure</h1>
+ <p>The GitLab SnippetFinder component contained an information disclosure
+ which allowed access to snippets restricted to Only team members or
+ configured as disabled. The issue is now resolved in the latest version.</p>
+ <h1>LDAP API authorization issue</h1>
+ <p>An LDAP API endpoint contained an authorization vulnerability which
+ unintentionally disclosed bulk LDAP groups data. This issue is now fixed in
+ the latest release.</p>
+ <h1>Persistent XSS mermaid markdown</h1>
+ <p>The mermaid markdown feature contained a persistent XSS issue that is now
+ resolved in the latest release.</p>
+ <h1>Insecure direct object reference Todo API</h1>
+ <p>The Todo API was vulnerable to an insecure direct object reference issue
+ which resulted in an information disclosure of confidential data.</p>
+ <h1>GitHub import access control issue</h1>
+ <p>An improper access control weakness issue was discovered in the GitHub
+ import feature. The issue allowed an attacker to create projects under other
+ accounts which they shouldn't have access to. The issue is now resolved in
+ the latest version.</p>
+ <h1>Protected variables information disclosure</h1>
+ <p>The CI jobs protected tag feature contained a vulnerability which
+ resulted in an information disclosure of protected variables. The issue is
+ now resolved in the latest release.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://about.gitlab.com/2018/02/07/gitlab-security-10-4-3-plus-10-3-7-plus-10-2-8-blog/</url>
+ </references>
+ <dates>
+ <discovery>2018-02-07</discovery>
+ <entry>2018-02-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7afc5e56-156d-11e8-95f2-005056925db4">
+ <topic>irssi -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>irssi</name>
+ <range><lt>1.1.1,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Irssi reports:</p>
+ <blockquote cite="https://irssi.org/security/irssi_sa_2018_02.txt">
+ <p>Use after free when server is disconnected during netsplits.
+ Found by Joseph Bisch.</p>
+ <p>Use after free when SASL messages are received in unexpected order.
+ Found by Joseph Bisch.</p>
+ <p>Null pointer dereference when an “empty” nick has been observed by
+ Irssi. Found by Joseph Bisch.</p>
+ <p>When the number of windows exceed the available space, Irssi would
+ crash due to Null pointer dereference. Found by Joseph Bisch.</p>
+ <p>Certain nick names could result in out of bounds access when printing
+ theme strings. Found by Oss-Fuzz.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://irssi.org/security/irssi_sa_2018_02.txt</url>
+ <cvename>CVE-2018-7054</cvename>
+ <cvename>CVE-2018-7053</cvename>
+ <cvename>CVE-2018-7052</cvename>
+ <cvename>CVE-2018-7051</cvename>
+ <cvename>CVE-2018-7050</cvename>
+ <freebsdpr>ports/226001</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2018-02-15</discovery>
+ <entry>2018-02-19</entry>
+ <modified>2018-02-22</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="a183acb5-1414-11e8-9542-002590acae31">
+ <topic>p5-Mojolicious -- cookie-handling vulnerability</topic>
+ <affects>
+ <package>
+ <name>p5-Mojolicious</name>
+ <range><lt>7.66</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Upstream commit:</p>
+ <blockquote cite="https://github.com/kraih/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149">
+ <p>Vulnerabilities existed in cookie handling.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/kraih/mojo/issues/1185</url>
+ </references>
+ <dates>
+ <discovery>2018-01-31</discovery>
+ <entry>2018-02-17</entry>
+ </dates>
+ </vuln>
+
<vuln vid="22283b8c-13c5-11e8-a861-20cf30e32f6d">
<topic>Bugzilla security issues</topic>
<affects>
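Review bot: the `cite` attribute on the blockquote in the asterisk 13.19.2 entry (vid 933654ce-17b8-11e8-90b8-001999f8d30b) reads `cite="http://www.asterisk.org/downloads/security-advisories HERE"`; the trailing " HERE" token looks like an editing leftover and makes the attribute an invalid URL. Suggest `cite="https://www.asterisk.org/downloads/security-advisories"`, matching the form used in the following asterisk-and-pjsip entry. In that second entry (vid f9f5c5a2-17b5-11e8-90b8-001999f8d30b) the references list only the two AST-2018-002/003 URLs with no `<cvename>`, while the sibling entry carries CVE ids for AST-2018-004/005; worth confirming whether ids were assigned for 002/003 and adding them if so.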
@@ -694,7 +1680,7 @@
</package>
<package>
<name>ja-mailman</name>
- <range><le>2.1.14.j7_2,1</le></range>
+ <range><le>2.1.14.j7_3,1</le></range>
</package>
</affects>
<description>
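Review bot: the ja-mailman upper bound is raised from `2.1.14.j7_2,1` to `2.1.14.j7_3,1`, which widens the affected range of an existing entry, but the hunk shows no `<modified>` date being added to that entry's `<dates>` block; other entries in this file record such changes with `<modified>` (see the irssi entry above). Confirm the dates block of this entry is updated in the same commit.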